Virus Problem

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Hi cubsfan1004
Welcome to TSG :)

We use a tool here to identify and then help remove infections and homepage hijackers. It's called Hijack This.

Download it here: http://thespykiller.co.uk/files/hijackthis_sfx.exe

Let it extract to C:\Program Files

Close out any open web browsers.
After it downloads and unzips, navigate to C:\Program Files\HijackThis.

Double click on the HijackThis.exe
Hit "do a system scan only"
When that finishes, hit "save log"
The log will open in Notepad
Go to Edit>Select All
Then Edit>Copy
Come back to this thread
Go to Edit>Paste

The log will now be pasted here for us to review.

Do not fix anything yet!
 

cubsfan1004

Thread Starter
Joined
Jun 25, 2005
Messages
12
Logfile of HijackThis v1.99.1
Scan saved at 11:46:20 PM, on 6/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SUPPORT.COM\CLIENT\BIN\TGCMD.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\PROGRAM FILES\SONY\JOG DIAL UTILITY\JOGSERV2.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DRAG'N DROP CD\BINFILES\DRAGDROP.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\WINDOWS\HNMALP.EXE
C:\WINDOWS\SYSTEM\YANNKF.EXE
C:\WINDOWS\SYSTEM\ELITECHF32.EXE
C:\WINDOWS\SYSTEM\JOBIU.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\JGPNEW.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS_SFX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\Client\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [ZTgServerSwitch] C:\Program Files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICONSPY.EXE
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\hnmalp.exe reg_run
O4 - HKLM\..\Run: [yannkf] c:\windows\system\yannkf.exe
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITECHF32.EXE
O4 - HKLM\..\Run: [o27j36O] JOBIU.EXE
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\WINDOWS\TEMP\~COMPOUNDINST0\AUTO_UPDATE_LOADER.EXE" /HideUninstall /HideDir /PC=CP.SAV /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [Z1otRWipR] JGPNEW.EXE
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Startup: rpta.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
That was fast ;)

Well there are quite a few problems.
Lots of malware and the Qoologic trojan.
We will need a Moderator to jump in for that one.
Let's do as much cleaning up as we can.

Uninstall the following from Add/Remove Programs:
180solutions
AutoUpdater
EliteToolBar
Media Access

Then download and run the following programs:

Ad-Aware SE: http://www.majorgeeks.com/download506.html

Install the program and launch it.
First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.
Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.
Then, deselect Search for negligible risk entries.
To start the scan, click the Next button.
When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next).

Reboot.

SpyBot S&D: http://www.majorgeeks.com/download2471.html

Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode).
Click online, Search for updates, Download all available updates.
Close all Browser windows, Click ''Check for Problems''.
Anything that it finds, Click ''Fix Selected Problems''.

Reboot again.

Post a new Hijack This log.
 

cubsfan1004

Thread Starter
Joined
Jun 25, 2005
Messages
12
Logfile of HijackThis v1.99.1
Scan saved at 12:56:43 AM, on 6/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\PROGRAM FILES\SONY\JOG DIAL UTILITY\JOGSERV2.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
C:\WINDOWS\SYSTEM\ICONSPY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\DRAG'N DROP CD\BINFILES\DRAGDROP.EXE
C:\PROGRAM FILES\NETGEAR\WG511SCU\UTILITY\GEAR511.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINTASK.EXE
C:\WINDOWS\HNMALP.EXE
C:\WINDOWS\SYSTEM\YANNKF.EXE
C:\WINDOWS\SYSTEM\ELITECHF32.EXE
C:\WINDOWS\SYSTEM\JOBIU.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\JGPNEW.EXE
C:\PROGRAM FILES\CAS\CLIENT\CASCLIENT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\Client\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [ZTgServerSwitch] C:\Program Files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICONSPY.EXE
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\hnmalp.exe reg_run
O4 - HKLM\..\Run: [yannkf] c:\windows\system\yannkf.exe
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITECHF32.EXE
O4 - HKLM\..\Run: [o27j36O] JOBIU.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [Z1otRWipR] JGPNEW.EXE
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Startup: rpta.exe
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
 

cubsfan1004

Thread Starter
Joined
Jun 25, 2005
Messages
12
Logfile of HijackThis v1.99.1
Scan saved at 1:13:56 AM, on 6/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\PROGRAM FILES\SONY\JOG DIAL UTILITY\JOGSERV2.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
C:\WINDOWS\SYSTEM\ICONSPY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\DRAG'N DROP CD\BINFILES\DRAGDROP.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\PROGRAM FILES\NETGEAR\WG511SCU\UTILITY\GEAR511.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\YANNKF.EXE
C:\WINDOWS\SYSTEM\JOBIU.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\JGPNEW.EXE
C:\PROGRAM FILES\CAS\CLIENT\CASCLIENT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\RPTA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] C:\Program Files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICONSPY.EXE
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [yannkf] c:\windows\system\yannkf.exe
O4 - HKLM\..\Run: [o27j36O] JOBIU.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\hnmalp.exe reg_run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [Z1otRWipR] JGPNEW.EXE
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Startup: rpta.exe
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Download FindQoologic-Narrator.zip save it to your Desktop.
http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981

Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
wait until a text opens, post it in a reply to your thread.
it will take between 10 & 15 minutes to run through normally so don't panic and don't close the file until the file.txt pops up

the first one to open will be list.txt please ignore that one & wait for file.txt

If you get a message when you first run it "Can not find script file C:\DOCUME~1\USER NAME \LOCALS~1\Temp\Activesetup.vbs" that happens sometimes when it creates the temp files it needs to run properly. Just close the application & then double click the bat file again and it will run properly
 

cubsfan1004

Thread Starter
Joined
Jun 25, 2005
Messages
12
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINDOWS\HNMALP.EXE
* aspack C:\WINDOWS\DROAXMD.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\RPTA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
C:\WINDOWS\All Users\Start Menu\Programs\StartUp

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Download AdAware SE 1.06 from http://www.lavasoft.com and install it if you haven't already got it. If you have it, then make sure it is updated and configured as described later in this post

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [yannkf] c:\windows\system\yannkf.exe
O4 - HKLM\..\Run: [o27j36O] JOBIU.EXE

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\hnmalp.exe reg_run

O4 - HKCU\..\Run: [Z1otRWipR] JGPNEW.EXE
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - Startup: rpta.exe

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL


now Start killbox paste the first file listed below into the full pathname and file to delete box

The file name will appear in the window and if the file exists it will appear in blue under that window then select delet on reboot , press the red X button, say yes to the prompt and NO to reboot now then repeat for each file in turn


C:\WINDOWS\HNMALP.EXE
C:\WINDOWS\DROAXMD.EXE
C:\WINDOWS\startm~1\programs\startup\RPTA.EXE
C:\TEMP\STUBINSTALLER6480.EXE
c:\windows\system\JGPNEW.EXE
c:\windows\system\JOBIU.EXE
c:\windows\system\yannkf.exe
C:\WINDOWS\SYSTEM\wintask.exe
C:\WINDOWS\SYSTEM\exp
C:\WINDOWS\CFGMGR52.DL
C:\WINDOWS\SYSTEM\PSof1.exe
C:\WINDOWS\CERES.DLL


Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

then as some of the folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

delete these folders

C:\PROGRAM FILES\CAS\

then go to C:\windows\temp and select EVERYTHING and delete it all and then do the same for C:\temp if it exists

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then reboot and when it reboots

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least SE1R51 21.06.2005 or a higher number/later date

Set up the Configurations as follows:

General Button
Safety:
Check (Green) all three.

Click on "Proceed"

Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

Click on "Scan Now"

Run the scanner using the Full Scan (Perform full system scan) mode.

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.


Reboot &

Run an online antivirus check from at least one and preferably 2 of the following sites

http://www.kaspersky.com/beta?product=161744315 ( with this one as it's abeta product, they ask for a name & email, just put any email in and any name and company it isn't checked on and they have just used the standard beta page as a doorway to it )
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
http://www.bitdefender.com/scan/licence.php
http://www.commandondemand.com/eval/index.cfm
http://www.freedom.net/viruscenter/onlineviruscheck.html
http://info.ahnlab.com/english/
http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp
 
Joined
Jul 26, 2002
Messages
46,349
You need to stop posting new threads for this same problem. Derek is helping you here.

Have you done what he suggested in his last post?
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top